A Question for the Judges: Can the FTC Regulate Cybersecurity?

Another firm is challenging the Federal Trade Commission’s authority to regulate corporate cybersecurity.

Medical testing laboratory LabMD Inc. is fighting back against an August FTC complaint that alleged the company failed to protect consumers’ personal data.

The move comes as Wyndham Worldwide Corp. continues its legal battle with the regulator, which has faulted the hotelier for a data breach. The outcome of that case could help determine the scope of the agency’s authority.

Lawyers for the two firms say the FTC has no authority to regulate cybersecurity. “Both the Wyndham and the LabMD cases show businesses are ready to force this issue with the FTC,” said Craig Newman, partner at Richards Kibbe & Orbe LLP and chief executive of the Freedom2Connect Foundation, a nonprofit organization that opposes Internet censorship.

The FTC filed a complaint against LabMD in August alleging that the firm failed to reasonably protect data. It alleged that information on more than 9,000 consumers was found on a file-sharing network and that LabMD documents with “sensitive personal information” of at least 500 consumers were “found in the hands of identity thieves.”

The agency faulted the company for allegedly lax data-security practices and proposed an order that would require the firm to implement information-security improvements and send data-breach notices to customers. But LabMD fought back, disputing the FTC’s authority and saying its data-security practices are covered by other laws, including the Health Insurance Portability and Accountability Act of 1996, or HIPAA, with which the firm said it was in compliance.

The dispute is now playing out in an administrative law court. Nonprofit group Cause of Action in November also filed a lawsuit in Washington federal court against the FTC on behalf of LabMD.

The FTC has tried to fill the gap left by the congressional stalemate on cybersecurity legislation, which has left the U.S. without a clear national data-security regulator. The agency continues to act as a “de facto data protection authority,” Jason Weinstein, a partner at Steptoe & Johnson LLP who specializes in privacy and data-security matters, told Risk & Compliance Journal in September.

For now, the agency looks to continue its enforcement efforts. “Absent leadership from Congress, this patchwork stopgap approach to cybercrime isn’t likely to change any time soon,” said Mr. Newman.